Boffins in Austria have developed a defense against acoustic cookies, a form of ad tracking by which smartphones can send and receive data using sounds people can't hear.
App developers can implement ultrasound data transfer on their own or using various SDKs, such as XT Audio Beacons or Lisnr, or the Google Nearby API.
How TV ads silently ping commands to phones: Sneaky SilverPush code reverse-engineeredREAD MORE
Generally, this is done for tracking ad views across multiple devices, though covert audio signals can also serve more malicious purposes such as data exfiltration or surveillance. It has even been theorized that symptoms experienced by US diplomats in Cuba, and more recently in China, may be the result of exposure to ultrasonic waves.
According to TU Braunschweig research published last year, 234 Android applications that use ultrasonic beacons were found in the Google Play Store. Google subsequently required app developers to disclose microphone usage properly and removed non-compliant apps.
Even done with permission, apps using inaudible soundwaves to communicate silently with other devices – tracking TVs ads viewed, for example – invite privacy and security concerns.
To give smartphone users some say in the matter, researchers Matthias Zeppelzauer, Peter Kopciak, Kevin Pirner, Alexis Ringot and Florian Taurer, with the St. Pölten University of Applied Sciences in Austria, created a sonic firewall called SoniControl to intercept ultrasound beacons.
"There is currently no technology on the market that can detect and block acoustic cookies," said Zeppelzauer, senior researcher the Institute of Creative Media Technologies at St. Pölten University, in a statement. "The application developed in this project represents the first approach that gives people control over this type of tracking."
Available as open source and as an Android app, SoniControl works by interfering with ultrasonic data transfer. It plays its own inaudible sound through a smartphone's speaker system, masking the acoustic cookies so they're not recognized.
The silent cookie killer also gives users the option to allow certain acoustic beacons to be set.
Another option involves denying apps microphone access as a precaution, but doing so precludes the possibility of voice-based interaction.
The project was funded by Austria's netidee initiative, which helps local researchers develop internet technology. ®
Sponsored: Ransomware has gone nuclear